Posted to dev@tomcat.apache.org by Serge Knystautas <se...@lokitech.com> on 2000/07/11 05:24:37 UTC

Security bug in Tomcat on Windows

Looked through the mailing list archive and can't find anyone mentioning
this...

Platform: Tomcat 3.1 final on Windows (or any other case insensitive
file system)

Problem: Source code of JSP can be revealed by varying the extension.

Steps to reproduce:
1. Create a JSP that looks like this:

<% out.println("Hello world"); %>

and name it test.jsp.

2. Using a browser, access the file in the appropriate directory as
test.jsp... the JSP will execute normally.
3. Then access the file in the appropriate directory as test.JSP... you
will see the source code for the JSP.

Apparently the mapper isn't handling these case variations, so it's
falling through to retrieve the file as a binary file (rather than
through Jasper).  I'm not sure if putting Apache in front of this helps
matters.

This seems like it shouldn't be too difficult to handle and get it fixed
before 3.2.  Otherwise no one can really deploy Tomcat on Windows
without a major security risk.

Serge Knystautas
Loki Technologies
http://www.lokitech.com/

Re: Security bug in Tomcat on Windows

Posted by Danno Ferrin <sh...@earthlink.net>.
Wow, this was big a couple of years ago.  I believe the way that apache
solved it is that if the string representation of the requested file is not
byte-identical to the served file name's canonical form then it is a file
not found.  Fixes the trailing slashes which were another way to get it IIRC.

----- Original Message -----
From: "Serge Knystautas" <se...@lokitech.com>
To: <to...@jakarta.apache.org>
Sent: Monday, July 10, 2000 10:41 PM
Subject: Re: Security bug in Tomcat on Windows


> No, I mean (using a browser), accessing http://<server>/xxxx.jsp and
> then accessing http://<server>/xxxx.JSP to get the source code for that
> page.
>
> Serge
>
> Arion Yu wrote:
> >
> > Hi!
> >
> > Are you meaning you are opening the JSP file using file://xxxx.jsp?
> >
> > Arion
> >
> > Serge Knystautas wrote:
> >
> > > Looked through the mailing list archive and can't find anyone mentioning
> > > this...
> > >
> > > Platform: Tomcat 3.1 final on Windows (or any other case insensitive
> > > file system)
> > >
> > > Problem: Source code of JSP can be revealed by varying the extension.
> > >
> > > Steps to reproduce:
> > > 1. Create a JSP that looks like this:
> > >
> > > <% out.println("Hello world"); %>
> > >
> > > and name it test.jsp.
> > >
> > > 2. Using a browser, access the file in the appropriate directory as
> > > test.jsp... the JSP will execute normally.
> > > 3. Then access the file in the appropriate directory as test.JSP... you
> > > will see the source code for the JSP.
> > >
> > > Apparently the mapper isn't handling these case variations, so it's
> > > falling through to retrieve the file as a binary file (rather than
> > > through Jasper).  I'm not sure if putting Apache in front of this helps
> > > matters.
> > >
> > > This seems like it shouldn't be too difficult to handle and get it fixed
> > > before 3.2.  Otherwise no one can really deploy Tomcat on Windows
> > > without a major security risk.
> > >
> > > Serge Knystautas
> > > Loki Technologies
> > > http://www.lokitech.com/
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> > > For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
> >
> > --
> > [This email and any files transmitted with it are confidential and may
> > contain information that is legally privileged. They are intended solely for
> > the addressee(s). Access to this email by anyone else is unauthorized. If
> > you are not the intended recipient, please delete it and notify the sender
> > by email immediately; you should not copy or use it for any purpose, nor
> > disclose its contents to any other person. Thank you.]
> >
>
>
>
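The mapping failure Serge reports and the byte-identical canonical-name check Danno recalls as the fix, as an added Python model written for this page (not Tomcat's own code); the file set, the lenient filesystem behaviour and the function names are constructed assumptions:

```python
from typing import Optional

# Constructed webapp: the file names exactly as stored on disk.
WEBAPP_FILES = {"test.jsp", "index.html"}

# Extensions the servlet mapper hands to Jasper (the JSP engine).
JSP_EXTENSIONS = (".jsp",)


def lookup_on_disk(request_path: str) -> Optional[str]:
    """Emulate a lenient, case-insensitive filesystem (constructed model):
    the request matches a file ignoring case and a trailing slash, the two
    variants the thread mentions. Returns the canonical on-disk name."""
    wanted = request_path.strip("/").lower()
    for name in WEBAPP_FILES:
        if name.lower() == wanted:
            return name
    return None


def serve_vulnerable(request_path: str) -> str:
    """Behaviour the report describes: the *.jsp pattern is matched
    case-sensitively against the URL, but the static-file fallback opens
    the file through the case-insensitive filesystem, so test.JSP is
    served as a plain file and its source is disclosed."""
    if lookup_on_disk(request_path) is None:
        return "404"
    if request_path.endswith(JSP_EXTENSIONS):
        return "jasper"   # compiled and executed
    return "static"       # raw bytes returned to the client


def serve_fixed(request_path: str) -> str:
    """Danno's fix: the requested name must be byte-identical to the
    canonical on-disk name; any case or trailing-slash variant is a 404.
    Only then is the extension mapping applied, and it is applied to the
    canonical name rather than the raw URL."""
    canonical = lookup_on_disk(request_path)
    if canonical is None or canonical != request_path.lstrip("/"):
        return "404"
    if canonical.endswith(JSP_EXTENSIONS):
        return "jasper"
    return "static"
```

The same check is what a reverse proxy in front cannot provide on its own, since the proxy sees only the URL and not the on-disk name.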


Re: Security bug in Tomcat on Windows

Posted by Serge Knystautas <se...@lokitech.com>.
No, I mean (using a browser), accessing http://<server>/xxxx.jsp and
then accessing http://<server>/xxxx.JSP to get the source code for that
page.

Serge

Arion Yu wrote:
> 
> Hi!
> 
> Are you meaning you are opening the JSP file using file://xxxx.jsp?
> 
> Arion
> 
> Serge Knystautas wrote:
> 
> > Looked through the mailing list archive and can't find anyone mentioning
> > this...
> >
> > Platform: Tomcat 3.1 final on Windows (or any other case insensitive
> > file system)
> >
> > Problem: Source code of JSP can be revealed by varying the extension.
> >
> > Steps to reproduce:
> > 1. Create a JSP that looks like this:
> >
> > <% out.println("Hello world"); %>
> >
> > and name it test.jsp.
> >
> > 2. Using a browser, access the file in the appropriate directory as
> > test.jsp... the JSP will execute normally.
> > 3. Then access the file in the appropriate directory as test.JSP... you
> > will see the source code for the JSP.
> >
> > Apparently the mapper isn't handling these case variations, so it's
> > falling through to retrieve the file as a binary file (rather than
> > through Jasper).  I'm not sure if putting Apache in front of this helps
> > matters.
> >
> > This seems like it shouldn't be too difficult to handle and get it fixed
> > before 3.2.  Otherwise no one can really deploy Tomcat on Windows
> > without a major security risk.
> >
> > Serge Knystautas
> > Loki Technologies
> > http://www.lokitech.com/
> >
> 
> 

Re: Security bug in Tomcat on Windows

Posted by Arion Yu <ar...@stt.com.hk>.
Hi!

Are you meaning you are opening the JSP file using file://xxxx.jsp?

Arion

Serge Knystautas wrote:

> Looked through the mailing list archive and can't find anyone mentioning
> this...
>
> Platform: Tomcat 3.1 final on Windows (or any other case insensitive
> file system)
>
> Problem: Source code of JSP can be revealed by varying the extension.
>
> Steps to reproduce:
> 1. Create a JSP that looks like this:
>
> <% out.println("Hello world"); %>
>
> and name it test.jsp.
>
> 2. Using a browser, access the file in the appropriate directory as
> test.jsp... the JSP will execute normally.
> 3. Then access the file in the appropriate directory as test.JSP... you
> will see the source code for the JSP.
>
> Apparently the mapper isn't handling these case variations, so it's
> falling through to retrieve the file as a binary file (rather than
> through Jasper).  I'm not sure if putting Apache in front of this helps
> matters.
>
> This seems like it shouldn't be too difficult to handle and get it fixed
> before 3.2.  Otherwise no one can really deploy Tomcat on Windows
> without a major security risk.
>
> Serge Knystautas
> Loki Technologies
> http://www.lokitech.com/
>
